preventing a user to start a process

Thomas Krause freebsd-isp at chef-ingenieur.de
Mon Jul 25 23:26:14 GMT 2005


Hi,

Gustavo A. Baratto wrote:
> Use php safe_mode. This will prevent the execution of external commands 
> from php. Depending on what you mean by "usable", this may be a 
> problem.

I think that is not usable on a running system - too many sites
will not work.

> 
> Or make sure php doesn't allow uploads to /tmp or /var/tmp (disable FTP 
> in PHP). This will prevent the ircs or any other scripts from being uploaded 
> in the first place.

That's not the solution. The problem is the possibility to execute
commands via shell. With that, every user with access to the
php files is able to do a

- find / -type d -perm 1777
- mkdir /tmp/foo
- fetch ...
- tar xzf
- run daemon

(I found this on my webserver)

I've searched all php files for the system() function - it's not
possible for me to disable this function.

Any ideas?

Regards,
Thomas.


> 
> 
> ----- Original Message ----- From: "Thomas Krause" 
> <freebsd-isp at chef-ingenieur.de>
> To: <freebsd-isp at freebsd.org>
> Sent: Monday, July 25, 2005 1:06 PM
> Subject: preventing a user to start a process
> 
> 
>> Hello,
>> is it possible to bar a user (www) from starting a process?
>> I've an irc daemon running under the uid www. I think
>> this was done by php. What would be the best way to prevent
>> this (php should remain usable)? I've installed ipfw rules,
>> but this doesn't prevent the starting of the process.
>>
>> Kind regards,
>> Thomas.
>> _______________________________________________
>> freebsd-isp at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
>> To unsubscribe, send any mail to "freebsd-isp-unsubscribe at freebsd.org"
>>
> 
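Thomas's search of the PHP files for system() calls, generalised to the other PHP functions that hand a string to a shell or spawn a process. This is an added example and not code from the thread; the function list, the `*.php`/`*.inc` name patterns and the sample files in the usage are my own assumptions, and a hit is a triage lead (PDO's `->exec()` or a commented-out call will also match), not proof of abuse.

```shell
#!/bin/sh
# Added example: list the PHP files under a web root that call a
# process-spawning function, so the few legitimate callers can be found
# before the rest of the functions are disabled in php.ini.

# POSIX ERE of PHP functions that run a shell command or spawn a process.
# The leading group avoids matching a longer identifier such as myexec(.
# (Assumed list; add any wrapper names used by the sites on the host.)
PHP_EXEC_FUNCS='(^|[^A-Za-z0-9_])(system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)[[:space:]]*\('

# scan_php_for_exec DIR
# Prints one "file:line:source text" record per matching line under DIR.
# Always returns 0 so that "no hits" is not reported as an error.
scan_php_for_exec() {
    find "$1" -type f \( -name '*.php' -o -name '*.inc' \) \
        -exec grep -nHE -e "$PHP_EXEC_FUNCS" /dev/null {} + 2>/dev/null
    return 0
}

# count_php_exec_hits DIR
# Prints the number of distinct files under DIR that contain a hit.
count_php_exec_hits() {
    scan_php_for_exec "$1" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# Stand-alone use: ./scan.sh /usr/local/www
if [ "$#" -gt 0 ]; then
    scan_php_for_exec "$1"
    echo "files with process-spawning calls: $(count_php_exec_hits "$1")"
fi
```

Run it against the document root (for example `sh scan.sh /usr/local/www`) and review each file listed. If the scan shows no site that needs them, the functions can then be removed for every script at once with `disable_functions = system,exec,shell_exec,passthru,popen,proc_open,pcntl_exec` in php.ini, which is narrower than safe_mode and does not disable uploads.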

